Linux admins need to get busy patching, as a newly discovered bug has emerged in the kernel's tty handling – and it lets logged-in users crash the system, gain root privileges, or otherwise modify and access data they shouldn't.
This memory corruption flaw is certainly nothing like OpenSSL's remotely exploitable Heartbleed – CVE-2014-0196:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0196 But this local root hole is problematic where users are sharing the same Linux host in the cloud.
Here's how US-CERT described the issue:
https://www.us-cert.gov/ncas/bulletins/SB14-132“The n_tty_write function in drivers/tty/n_tty.c in the Linux kernel through 3.14.3 does not properly manage tty driver access in the 'LECHO & !OPOST' case, which allows local users to cause a denial of service (memory corruption and system crash) or gain privileges by triggering a race condition involving read and write operations with long strings.”A user only needs shell access to be in a position to exploit the programming blunder.
The bug was introduced in 2009 with version v2.6.31-rc3 of the kernel. Before that, as noted at this Novell SUSE security discussion, “pty [the pseudo-terminal – El Reg] was writing directly to a line discipline without using buffers”:
https://bugzilla.novell.com/show_bug.cgi?id=875690Ubuntu has been patched:
http://www.ubuntu.com/usn/usn-2204-1/ , Red Hat is working on a fix for its Enterprise Linux 6 and Enterprise MRG 2 distos (RH Enterprise Linux 5 isn't affected):
https://bugzilla.redhat.com/show_bug.cgi?id=1094232 OpenWall has also patched:
http://www.openwall.com/lists/oss-security/2014/05/05/6 Debian's patches will arrive here:
https://security-tracker.debian.org/tracker/CVE-2014-0196There's an unreliable proof-of-concept here:
http://bugfuzz.com/stuff/cve-2014-0196-md.c(ElReg)